New EU e-payments rules to make shopping safer

(BRUSSELS) - The revised payment services directive, adopted Monday by the EU Commission, is designed to provide consumers with more convenient and innovative payment solutions, whether buying in shops or online.

The new rules rules implement the EU's recently-revised Payment Services Directive (PSD2) which aims to modernise Europe's payment services so as to keep pace with this rapidly evolving market and allow the European e-commerce market to blossom.

The rules allow consumers to use innovative services offered by third party providers, also known as FinTech companies, while maintaining rigorous data protection and security for EU consumers and businesses. These include payment solutions and tools for managing one's personal finances by aggregating information from various accounts.

A key objective of PSD2 is to increase the level of security and confidence of electronic payment. In particular, PSD2 requires payment service providers to develop strong customer authentication (SCA). Today's rules therefore have stringent, built-in security provisions to significantly reduce payment fraud levels and to protect the confidentiality of users' financial data, especially relevant for online payments. They require a combination of at least two independent elements, which could be a physical item - a card or mobile phone - combined with a password or a biometric feature, such as fingerprints before making a payment.

PSD2 also establishes a framework for new services linked to consumer payment accounts, such as the so-called payment initiation services and account information services. These innovative services are already on offer in many EU countries but thanks to PSD2 they will be available to consumers across the EU, subject to strict security requirements. The rules specify the requirements for common and secure standards of communication between banks and FinTech companies.

Following adoption of the Regulatory Technical Standards by the Commission, the European Parliament and the Council have three months to scrutinise them. Subject to the scrutiny period, the new rules will be published in the Official Journal of the EU. Banks and other payment services providers will then have 18 months to put the security measures and communication tools in place.